[Snort-users] disable Verifying Preprocessor Configurations

Russ Combs rcombs at ...1935...
Thu Jul 7 18:35:28 EDT 2011


On Thu, Jul 7, 2011 at 6:30 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:

> Thanks Russ,
>
> You have clearly explained the issue. Would you please tell me which search
> method is better to conserve memory and yet still performs well with the
> fast pattern?
>

Check the settings for "config detection" in the snort manual.

>
> Thanks,
>
>
> On Jul 8, 2011, at 12:05 AM, Russ Combs wrote:
>
>
>
> On Thu, Jul 7, 2011 at 5:57 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:
>
>> Hello,
>>
>> 50K might be a lot. However, none of them need a preprocessor. My concern
>> is why preprocessing verification is still taking place?
>>
>
> It is verifying an empty list of preprocessors.  Happens very quickly.  :)
> That line is always output.
>
> The next step has to do with fast pattern setup and that is what is taking
> some time.
>
>
>> On Jul 7, 2011, at 11:46 PM, Joel Esler wrote:
>>
>> You are loading 50 thousand rules, and you are wondering why Snort is
>> taking a long time to start up?
>>
>>
>> On Jul 7, 2011, at 5:25 PM, Hussein Bahaidarah wrote:
>>
>> > Hi,
>> >
>> > Yes, all lines are commented out. By the way, I am using beta version
>> > 2.9.1. Snort initialization shows that no preprocessor rules are used.
>> >
>> > +++++++++++++++++++++++++++++++++++++++++++++++++++
>> > Initializing rule chains...
>> > 50001 Snort rules read
>> >   50001 detection rules
>> >   0 decoder rules
>> >   0 preprocessor rules
>> > 50001 Option Chains linked into 1 Chain Headers
>> > 0 Dynamic rules
>> > +++++++++++++++++++++++++++++++++++++++++++++++++++
>> >
>> > On Jul 7, 2011, at 9:46 PM, waldo kitty wrote:
>> >
>> > On 7/7/2011 15:26, Hussein Bahaidarah wrote:
>> >> Hello,
>> >>
>> >> I am not using any preprocessor.
>> >
>> > really? no preprocessors at all?? each and every one of them are
>> > commented out in your snort.conf?
>> >
>> >> However, still snort does the "Verifying Preprocessor Configurations"
>> >> step at the loading stage. Is there any way to turn this off as it takes
>> >> long time as the rule file grows.
>> >>
>> >> "
>> >> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
>> >> Verifying Preprocessor Configurations!
>> >> "
>> >>
>> >> Thanks
>> >
>> >
>> ------------------------------------------------------------------------------
>> > All of the data generated in your IT infrastructure is seriously
>> valuable.
>> > Why? It contains a definitive record of application performance,
>> security
>> > threats, fraudulent activity, and more. Splunk takes this data and makes
>> > sense of it. IT sense. And common sense.
>> > http://p.sf.net/sfu/splunk-d2d-c2
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >
>> > Please see http://www.snort.org/docs for documentation
>>
>>
>
>
>
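
An added example, not part of the original thread and not the Snort project's shipped configuration: a snort.conf fragment using the "config detection" options documented in the Snort 2.9 manual, with a memory-oriented choice active and the alternatives commented out. Which setting suits a 50,000-rule set is an assumption to be measured at startup, not something the thread states.

```conf
# snort.conf (Snort 2.9.x): fast pattern matcher tuning.
# Added illustration; keep exactly one "config detection" line active.

# Aho-Corasick binary NFA: documented as low memory, high performance.
# split-any-any keeps ANY-ANY port rules in their own group instead of
# copying them into every port group: less memory, at the cost of up to
# two port-group evaluations per packet.
# max-pattern-len truncates long contents before they enter the matcher;
# 20 is an example value (assumption), so check that the truncated
# patterns are still distinctive enough for your rule set.
config detection: search-method ac-bnfa split-any-any max-pattern-len 20

# Alternatives from the same manual entry:
#
# Low-memory keyword trie: low memory, moderate performance.
# config detection: search-method lowmem
#
# Full Aho-Corasick: high memory, best performance. search-optimize
# shrinks state size and applies to ac and ac-split only.
# config detection: search-method ac search-optimize
```

Running `snort -T -c snort.conf` loads the rules in test mode and exits, so load time and the pattern-matcher memory figures in the startup summary can be compared between settings before deployment.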